NYC Health + Hospitals Partner Suffers Cyberattack, Exposing Patient Data
In November 2025, the National Association on Drug Abuse Programs (NADAP), a care management partner of NYC Health + Hospitals, fell victim to a cyberattack that compromised the sensitive data of 5,086 patients. NADAP provides critical services, including care coordination, substance abuse treatment support, and workforce training for Medicaid enrollees under NYC Health + Hospitals’ Lead Health Home program.
The breach was detected on January 10, 2026, prompting NADAP to take affected systems offline. An investigation revealed that unauthorized access exposed protected health information, including names, Social Security numbers, dates of birth, treatment details, diagnoses, medications, and Medicaid ID numbers. A pending class action lawsuit also suggests financial data, such as tax information, may have been compromised.
NYC Health + Hospitals issued a breach notification to affected patients on March 11, 2026, and reported the incident to the Office for Civil Rights (OCR). The breach has yet to appear on the federal healthcare data breach tracker but is expected to be listed once processed.
NYC Health + Hospitals cybersecurity rating report: https://www.rankiteo.com/company/nyc-health-and-hospitals-corporation
"id": "NYC1773398395",
"linkid": "nyc-health-and-hospitals-corporation",
"type": "Breach",
"date": "11/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '5086',
'industry': 'Healthcare',
'location': 'New York, USA',
'name': 'National Association on Drug Abuse Programs '
'(NADAP)',
'type': 'Non-profit/Healthcare Partner'}],
'customer_advisories': 'Breach notification issued to affected patients on '
'March 11, 2026',
'data_breach': {'number_of_records_exposed': '5086',
'personally_identifiable_information': ['Names',
'Social Security '
'numbers',
'Dates of birth',
'Medicaid ID numbers'],
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Protected health information',
'Personally identifiable '
'information',
'Potential financial data']},
'date_detected': '2026-01-10',
'date_publicly_disclosed': '2026-03-11',
'description': 'In November 2025, the National Association on Drug Abuse '
'Programs (NADAP), a care management partner of NYC Health + '
'Hospitals, fell victim to a cyberattack that compromised the '
'sensitive data of 5,086 patients. NADAP provides critical '
'services, including care coordination, substance abuse '
'treatment support, and workforce training for Medicaid '
'enrollees under NYC Health + Hospitals’ Lead Health Home '
'program. The breach exposed protected health information, '
'including names, Social Security numbers, dates of birth, '
'treatment details, diagnoses, medications, and Medicaid ID '
'numbers. A pending class action lawsuit also suggests '
'financial data, such as tax information, may have been '
'compromised.',
'impact': {'data_compromised': 'Protected health information (names, Social '
'Security numbers, dates of birth, treatment '
'details, diagnoses, medications, Medicaid ID '
'numbers), potential financial data (tax '
'information)',
'identity_theft_risk': 'High',
'legal_liabilities': 'Pending class action lawsuit',
'operational_impact': 'Affected systems taken offline'},
'investigation_status': 'Ongoing',
'references': [{'source': 'Breach notification'}],
'regulatory_compliance': {'legal_actions': 'Pending class action lawsuit',
'regulations_violated': ['HIPAA'],
'regulatory_notifications': 'Reported to the Office '
'for Civil Rights '
'(OCR)'},
'response': {'communication_strategy': 'Breach notification issued to '
'affected patients on March 11, 2026',
'containment_measures': 'Affected systems taken offline'},
'title': 'NYC Health + Hospitals Partner Suffers Cyberattack, Exposing '
'Patient Data',
'type': 'Data Breach'}